Sigstore cosign integration

As a component of the Sigstore project, the cosign command supports container signing, verification, and storage in an Open Container Initiative (OCI) registry, with the goal of making signatures an invisible part of data center infrastructure. The stated purpose of the Sigstore project is to empower developers to securely sign software artifacts, such as release files, binaries, container images, bill of materials manifests, and more. See the Sigstore Overview, Cosign Overview, and cosign on GitHub.

The Sigstore cosign project supports PKCS#11, so signing operations can happen within PKCS#11-enabled environments such as Venafi CodeSign Protect and other HSM solutions. CodeSign Protect's certificate and key pair environments have been tested and verified as compatible.

NOTE  The following documentation provides environment-specific commands and examples for setting up and using cosign. Make sure to replace the example names, paths, and variables with those appropriate for your environment.

Prerequisites

  • Sigstore cosign 1.3 or newer.

  • CodeSign Protect 21.4 or newer.

  • Access to a container registry, e.g. Docker Hub.

Steps

  1. Make sure that CodeSign Protect client 21.4 or newer is properly installed with PKCS#11 configured on the signing workstation.

  2. Download and install cosign 1.3 or newer. Make sure the build has PKCS#11 key support enabled, which is indicated by pivkey-pkcs11key in the release filename. For example, https://github.com/sigstore/cosign/releases/download/v1.8.0/cosign-linux-pivkey-pkcs11key-amd64.

  3. List tokens.

    cosign pkcs11-tool list-tokens --module-path /usr/local/lib/venafipkcs11.so

  4. List key URIs.

    cosign pkcs11-tool list-keys-uris --module-path /Library/Venafi/CodeSigning/lib/venafipkcs11.so

    EXAMPLE OUTPUT

    Object 0

    Label: MyLabel

    ID: 446576656c6f706d7669726f6e6d656e

    URI: pkcs11:token=Remote%20Token;slot-id=0;id=%44%65%76%65%6c%6f%70%6d%65%6e%74;object=Development?module-path=/usr/local/lib/venafipkcs11.so&pin-value=34

  5. Sign a container manifest.

    ./cosign sign --key "pkcs11:token=Remote%20Token;slot-id=0;id=%44%65%76%65%6c%6f%70%6d%65%6e%74;object=MyLabel?module-path=/usr/local/lib/venafi/venafipkcs11.so&pin-value=sdf" pathname/my-dashboard

  6. Verify the container signature with the same key URI.

    ./cosign verify --key "pkcs11:token=Remote%20Token;slot-id=0;id=%44%65%76%65%6c%6f%70%6d%65%6e%74;object=MyLabel?module-path=/usr/local/lib/venafi/venafipkcs11.so&pin-value=sdf" pathname/my-dashboard
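The following POSIX shell script is an added example, not code from Venafi or the Sigstore project. It wraps steps 4 through 6 so the PKCS#11 key URI is assembled in one place from the pieces that list-keys-uris prints (the token label, slot, hex key ID and object label), shows how the id= attribute is the raw key ID percent-encoded byte by byte (the %44%65%76... form in the example output), and reads the PIN from an environment variable so that pin-value does not have to be typed into a command line where it would be recorded in shell history. The module path, token label, key ID, object label and the VENAFI_PIN and MODULE_PATH variable names are assumptions taken from the examples above; replace them with your environment's values.

```shell
#!/bin/sh
# Added example (not Venafi's or Sigstore's own code): build the PKCS#11 key URI
# used by cosign sign/verify from its parts, then sign and verify one image.
# Assumes cosign 1.3+ built with pkcs11key support and the Venafi PKCS#11
# module at MODULE_PATH (override it in the environment as needed).
set -eu

MODULE_PATH="${MODULE_PATH:-/usr/local/lib/venafipkcs11.so}"

# Percent-encode every byte of $1 as %XX (lowercase hex). This is the form the
# id= attribute of a PKCS#11 URI uses for a raw CKA_ID, e.g. "Development"
# becomes %44%65%76%65%6c%6f%70%6d%65%6e%74 as in the list-keys-uris output.
pct_encode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/\(..\)/%\1/g'
}

# Convert the hex "ID:" value printed by `cosign pkcs11-tool list-keys-uris`
# (a string of hex byte pairs) into the same %XX form.
hexid_to_pct() {
  printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/\(..\)/%\1/g'
}

# Assemble: pkcs11:token=T;slot-id=S;id=%XX..;object=O?module-path=M&pin-value=P
# Only spaces in the token label are escaped here; a label containing other
# reserved characters would need full percent-encoding per RFC 7512.
pkcs11_key_uri() {
  token=$(printf '%s' "$1" | sed 's/ /%20/g')
  slot=$2; id_pct=$3; object=$4; module=$5; pin=$6
  printf 'pkcs11:token=%s;slot-id=%s;id=%s;object=%s?module-path=%s&pin-value=%s' \
    "$token" "$slot" "$id_pct" "$object" "$module" "$pin"
}

# Sign an image reference with the CodeSign Protect key, then verify it with
# the same URI. The PIN comes from VENAFI_PIN (assumed variable name) so it is
# not embedded in the script or the interactive command line.
sign_and_verify() {
  image=$1
  uri=$(pkcs11_key_uri "Remote Token" 0 "$(pct_encode Development)" MyLabel \
        "$MODULE_PATH" "${VENAFI_PIN:?set VENAFI_PIN to the token PIN}")
  cosign sign --key "$uri" "$image"
  cosign verify --key "$uri" "$image"
}

# Usage: VENAFI_PIN=... ./sign_verify.sh registry.example.com/team/my-dashboard:1.0
if [ -n "${1:-}" ]; then
  sign_and_verify "$1"
fi
```

To get the verbose PKCS#11 trace described under Troubleshooting, run the script with MODULE_PATH pointing at venafipkcs11spy.so instead of venafipkcs11.so; the URI builder picks the path up without further changes.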

Troubleshooting

For enhanced troubleshooting, you can enable detailed PKCS#11 logging by substituting <library_path>/venafipkcs11.so with <library_path>/venafipkcs11spy.so.

FAQ

  • What CodeSign Protect environments are compatible?

    Certificate and key pair environments have been tested and verified to be compatible.